Improper Access Control on view student list in 4jean/lav_sms


Reported on Apr 17th 2022


lav_sms provides a feature for teachers to view any student in the system. The problem is that a student can also view the student list, and can also download the list as PDF or Excel.

Proof of Concept

1. GET http://lav_sms.test/students/list/{id}

Steps to reproduce

1. Log in as a student
2. Navigate to /students/list/{id}


A student could gather information about other students, such as email, photo and adm_no.
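The report describes a missing authorization check: the route is reachable by any authenticated user, not only staff. The following is an added Laravel example of how such a route is normally guarded; it is not lav_sms's own code and not the project's actual fix (that is in commit 6c6d13). It assumes a `User` model with a `user_type` column holding values such as `super_admin`, `admin`, `teacher` or `student`, a `StudentController` with `list`, `exportPdf` and `exportExcel` actions, a `my_class_id` column on `Student`, and export routes under `/students/list/{id}`; all of those names are hypothetical.

```php
<?php
// Added example (hypothetical names, not lav_sms's real fix): deny the student
// roster and its PDF/Excel exports to anyone who is not staff.

// --- app/Providers/AuthServiceProvider.php ---
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Only staff roles may view the roster. A logged-in student fails this
        // gate, so authentication alone is no longer enough to reach the list.
        Gate::define('view-student-list', function ($user) {
            // `user_type` is an assumed column name.
            return in_array($user->user_type, ['super_admin', 'admin', 'teacher'], true);
        });
    }
}

// --- routes/web.php ---
use App\Http\Controllers\StudentController;
use Illuminate\Support\Facades\Route;

// One middleware group covers the HTML list and both export formats, so the
// PDF/Excel downloads mentioned in the report cannot be used to bypass the check.
Route::middleware(['auth', 'can:view-student-list'])->group(function () {
    Route::get('/students/list/{id}', [StudentController::class, 'list']);
    Route::get('/students/list/{id}/pdf', [StudentController::class, 'exportPdf']);
    Route::get('/students/list/{id}/excel', [StudentController::class, 'exportExcel']);
});

// --- app/Http/Controllers/StudentController.php ---
use App\Http\Controllers\Controller;
use App\Models\Student;

class StudentController extends Controller
{
    public function list(int $id)
    {
        // Defence in depth: re-check inside the action, so a route registered
        // later without the middleware still cannot leak the roster.
        $this->authorize('view-student-list');

        // `my_class_id` is an assumed column; {id} is taken to be the class id.
        $students = Student::where('my_class_id', $id)->get();

        return view('students.list', ['students' => $students]);
    }
}
```

The `can:` middleware returns a 403 to any user the gate rejects, and `$this->authorize()` throws the same `AuthorizationException` from inside the controller; applying both means a future route or export action added outside the group is still covered. When validating a fix like this, test with a student account against the list route and every export route, since the report notes the data can also be downloaded.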


We are processing your report and will contact the 4jean/lav_sms team within 24 hours. 2 years ago
We created a GitHub Issue asking the maintainers to create a 2 years ago
Chinedu Okemiri
2 years ago


Thanks for your report. Would fix this issue promptly

Jamie Slome
2 years ago


@4jean - are you able to resolve the report (valid and fixed)?

We have contacted a member of the 4jean/lav_sms team and are waiting to hear back 2 years ago
Chinedu Okemiri validated this vulnerability 2 years ago
nightfury99 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chinedu Okemiri marked this as fixed in 1 with commit 6c6d13 2 years ago
Chinedu Okemiri has been awarded the fix bounty
This vulnerability will not receive a CVE
web.php#L30 has been validated